Security Pros Struggle With Cyberthreat Angst

As the volume and sophistication of cyberattacks increase, system defenders in the trenches are losing confidence in their ability to protect their organizations' information assets, suggests a survey released last week by Websense and the Ponemon Institute.

The survey of almost 5,000 global IT security pros found that more than half of them (57 percent) felt their organizations were unprotected from sophisticated cyberattacks and nearly two-thirds of them (63 percent) doubted they could stop the exfiltration of confidential information from their systems.

Although the organizations participating in the survey had security systems in place to fight threats, the security pros didn't have a lot of faith in their effectiveness. More than two-thirds of them (69 percent) said cyberthreats were falling through the cracks in their systems.

"That speaks volumes for where their confidence factor is today," Debrosse said.

What Worth Data?

The survey also found that nearly half the companies (44 percent) had experienced one or more substantial cyberattacks in the last year.

A majority of the organizations, though, had very little information about the nature of the attacks. Fifty-nine percent of the companies said they lacked adequate intelligence or were unsure about the impact of the attacks. Almost as many -- 51 percent -- noted their security solutions either couldn't tell them what the root cause of an attack was or were unsure what it was.

The security pros' concerns over data loss didn't seem to be shared by the brass in their organizations, based on the survey. Three-quarters of the respondents (75 percent) said their companies' leaders didn't equate the loss of confidential data with a potential loss of revenue.

"There seems to be a disconnect here between the value the cybersecurity folks and their leaders are placing on data," Debrosse observed.

Easy Pickings in the Cloud

While data is often described as a company's family jewels, many companies aren't treating it that way, according to another survey released last week by Thales E-Security on data encryption in the cloud.

That survey of 4,275 global business and IT managers found that 59 percent of their organizations store their sensitive or confidential information in the cloud without protecting it by encryption or any other means.

"That was quite higher than we expected," Richard Moulds, vice president for strategy at Thales E-Security, told TechNewsWorld.

The high number could be explained by a misperception on the part of the data's owners, Moulds noted.

"There's a slightly misguided view about responsibility. There's a sense that if you're using a cloud provider, then somehow that cloud provider is responsible for protecting your data," he said.
"That's a bit misguided," continued Moulds, "because at the end of the day -- because of data breach laws and customer perception -- it's going to come back down to you."

Fear of encryption also may be contributing to why companies shy away from it.

"It can scare people," Moulds observed. "It can be complicated in some cases. It can slow things down, and if you lose the means to decrypt your data, it will remain scrambled forever."

Microsoft Breaks Cadence

With Patch Tuesday only two weeks away, Microsoft decided to put caution ahead of efficiency and release an out-of-band patch for a bug, discovered April 27, that affected all versions of its Internet Explorer Web browser.

The flaw, which sits in browser code that hasn't changed in close to a decade, had been spotted by FireEye being exploited in the wild in a number of targeted attacks by an advanced persistent threat group.

In making the atypical move, Microsoft heeded the advice of security experts who urged rapid action.

"While this zero-day threat is not widespread yet and is only being used in targeted attacks, we can be confident that the developers of exploit kits are sharpening their pencils and that it won't be long before the exploit is widespread," Roger Thompson, chief emerging threats researcher at ICSA Labs, told TechNewsWorld before the patch was released.

Still, the release of the patch is no reason for a sigh of relief, added Lucas Zaichowsky, enterprise defense architect at AccessData.

"Undoubtedly, this vulnerability will go mainstream with mass malware once the patch is released and can be dissected to reveal the vulnerability," he told TechNewsWorld.

When it released the IE fix, Microsoft also showed some empathy for Windows XP users, who lost support for their version of the OS on April 8. It included a version of the patch for XP -- along with a reminder that maybe it was about time to upgrade to Windows 7 or 8.

Breach Diary

April 28. AOL confirms that its internal network was compromised the week of April 21, giving hackers access to about half a million email accounts. The accounts were used to send spam and malicious links to the contacts of the accounts' owners.

April 28. Johns Hopkins University alerts 2,166 students who attended the school from 2007 to 2009 that files containing their names and Social Security numbers were stored on a server accessible by anyone on the Internet. Students are being offered a year of credit monitoring.

April 30. Facebook announces it will allow users to limit the amount of information they give to websites or mobile apps when they use their Facebook credentials to log in to those sites or apps.

April 30. Google announces it has stopped scanning the email accounts of students using its Google Apps for Education service. Google stopped pushing ads to students through the service in 2006, but it continued to scan their email to target ads at the students elsewhere online.

April 30. Boston Medical Center fires transcription service after discovering records of about 15,000 patients were posted to the service's website, which is used by physicians, without password protection.

April 30. Bob DeRodes appointed by Target to be its CIO. His predecessor, Beth M. Jacob, resigned her post in March in the aftermath of a mammoth data breach at the retailer in which personal and payment card information of some 110 million customers was compromised.

April 30. Canadian Privacy Commissioner releases report revealing that more than a million requests for customer information are made annually to the country's telcos by law enforcement agencies.

May 1. White House releases report on Big Data recommending government regulation of how private companies use the data gathered from their online customers. Report also recommends adoption of a national data breach reporting law.

May 1. Microsoft releases out-of-band patch for the Internet Explorer zero-day vulnerability discovered earlier in the week by FireEye.

May 1. Electronic Frontier Foundation files lawsuit against U.S. Department of Justice demanding the government disclose key Foreign Intelligence Surveillance Court opinions and orders, to learn more about the government's mass surveillance programs.

May 2. Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discloses a vulnerability affecting implementations of two widely used open authentication protocols, OAuth and OpenID. The flaw allows an attacker to steal credentials or redirect visitors to a malicious website after they log in to their intended destination.
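The redirect abuse described in the May 2 entry comes down to how loosely a site, or the identity provider acting for it, validates the redirect target supplied during login. The example below is added here; it is not code from the article or from Wang Jing's research. It models an identity provider's authorization endpoint in the implicit flow (token returned in the URL fragment) and contrasts a permissive host-based redirect check with an exact-match check against the client's registered URIs. The client ID, hosts, paths and the hypothetical `/goto?url=` forwarding page are all constructed for illustration.

```python
"""Added example, not from the article or from Wang Jing's research.

Shows why an OAuth/OpenID redirect target must be matched exactly against the
client's registered URIs rather than by host. Every identifier and URL below
is hypothetical.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed registry: client_id -> redirect URIs registered at onboarding.
REGISTERED_REDIRECTS = {
    "client-123": {
        "https://app.example.com/oauth/callback",
    },
}

Check = Callable[[str, str], bool]


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Permissive check: accept any URI whose host matches a registered one.

    This is the pattern that turns a login into an open redirect: any
    forwarding page on the registered host can be named as the target.
    """
    host = urlsplit(redirect_uri).hostname
    return any(
        urlsplit(r).hostname == host
        for r in REGISTERED_REDIRECTS.get(client_id, ())
    )


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against registered URIs: no host, prefix or
    wildcard matching, and no fragment allowed in the supplied value."""
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, ())


def authorize(client_id: str, redirect_uri: str, check: Check) -> Optional[str]:
    """Where the provider sends the browser after the user consents.

    Returns the redirect URL carrying the token in its fragment, or None when
    the requested redirect_uri is rejected by `check`.
    """
    if not check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token=TOKEN-FOR-{client_id}"


def forwarding_page(url: str) -> str:
    """Simulates a hypothetical /goto?url=... page on the client site that
    redirects to whatever `url` it is given. Browsers carry the fragment of
    the original URL over to a redirect target that has no fragment of its
    own, so the token travels along with the redirect.
    """
    parts = urlsplit(url)
    if parts.path != "/goto":
        return url
    target = parse_qs(parts.query).get("url", [None])[0]
    if target is None:
        return url
    if parts.fragment and not urlsplit(target).fragment:
        return f"{target}#{parts.fragment}"
    return target


def final_destination(client_id: str, redirect_uri: str, check: Check) -> Optional[str]:
    """The token's final resting place after the provider redirect and any
    forwarding the client site performs; None if the login was refused."""
    url = authorize(client_id, redirect_uri, check)
    return None if url is None else forwarding_page(url)


if __name__ == "__main__":
    crafted = "https://app.example.com/goto?url=https://attacker.example/collect"
    # Weak check: token ends up at attacker.example. Strict check: refused.
    print("weak  :", final_destination("client-123", crafted, weak_redirect_check))
    print("strict:", final_destination("client-123", crafted, strict_redirect_check))
```

With the weak check, the crafted `redirect_uri` is accepted because its host is registered, and the token lands on the attacker's collector after the site's own forwarding page bounces the browser. The strict check refuses anything that is not byte-for-byte one of the registered URIs, which is the comparison the OAuth security guidance calls for; a site that additionally eliminates open-redirect endpoints on its own domain closes the second half of the path.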

Upcoming Security Events

May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.